Microsoft Entra ID to make passkeys the default authentication in September
Microsoft is transitioning enterprise users to passkeys to combat rising AI-powered phishing threats, with native support for SMS and voice authentication set to end by early 2027.
Microsoft has announced a major shift in its Entra ID authentication strategy, making passkeys the default sign-in method for enterprise users starting September 1, 2026. The move, aimed at strengthening security against evolving cyber threats, will phase out Microsoft-provided SMS and voice-based multifactor authentication (MFA) by February 1, 2027. Organizations relying on these legacy methods will need to transition to passkeys or configure third-party telecom providers through the Microsoft Security Store to avoid sign-in disruptions, according to multiple sources including BleepingComputer, cybersecuritynews.com, and learn.microsoft.com.
Passkeys, which use cryptographic key pairs instead of shared secrets, are designed to be inherently phishing-resistant. Unlike SMS and voice codes, which can be intercepted via SIM swapping or social engineering, passkeys cannot be reused, guessed, or stolen through fake login pages. Microsoft cited a surge in AI-powered phishing campaigns—some achieving 54% click-through rates compared to 12% for traditional methods—as a key driver for the change. The company also highlighted that 99.6% of its own users and devices already use phishing-resistant authentication, underscoring the urgency of the transition, as reported by BleepingComputer and cybersecuritynews.com.
The rollout will occur in two phases. Starting September 1, 2026, users currently enabled for SMS or voice authentication will be automatically enrolled in passkeys. They will receive a prompt to register a passkey during their next MFA attempt. Organizations are advised to proactively migrate users to passkeys or other phishing-resistant methods before this date to prevent disruptions. By February 1, 2027, Microsoft will retire native SMS and voice capabilities, forcing users who rely solely on these methods to register a passkey during sign-in. Failure to comply will result in blocking prompts that cannot be bypassed, as outlined in sources like BleepingComputer, helpnetsecurity.com, and learn.microsoft.com.
Microsoft provides tools to help administrators identify and transition users still using SMS or voice. A PowerShell script, requiring roles such as Global Reader or Authentication Policy Administrator, can flag affected users. Organizations may also deploy passkey registration campaigns to guide users through the process. For those with legitimate business, regulatory, or technical needs to retain SMS or voice, third-party telecom providers can be configured via the Microsoft Security Store starting October 30, 2026. However, these arrangements will incur separate telecom costs, and Microsoft will not support legacy methods beyond February 2027, as detailed in cybersecuritynews.com, learn.microsoft.com, and mc.merill.net.
The shift aligns with broader industry trends toward passwordless authentication, driven by regulatory pressures such as the EU’s NIS2 compliance requirements. Microsoft emphasized that passkeys are included in all Entra plans at no additional cost, while telecom services remain a separate expense. The company also noted that passkeys support both device-bound and synced configurations, offering flexibility for enterprise deployments, according to learn.microsoft.com and mc.merill.net.
Administrators are urged to act swiftly, as the transition will be enforced globally. Microsoft warned that tenants failing to migrate users by February 2027 may face sign-in outages for employees relying solely on SMS or voice. The move reflects a broader push to modernize authentication practices, with Microsoft stating that "phishing-resistant authentication is now the default, not an opt-in feature," as noted in sources like learn.microsoft.com and mc.merill.net.